1 Introduction

Cryptography is the art of code-making, code-breaking and secure communication. It 
has a long history of military, diplomatic and commercial applications dating back to 
ancient societies. In these lectures an introduction to basic notions of classical and 
quantum cryptography is given. 

A well-known example of a cryptosystem is the Caesar cipher. Julius Caesar allegedly
used a simple letter substitution method. Each letter of Caesar's message was replaced
by the letter that followed it alphabetically by 3 places. This method is called the
Caesar cipher. The size of the shift (3 in this example) should be kept secret. It is
called the key of the cryptosystem. This is an example of a traditional cryptosystem,
also called private key cryptography. Anyone who knows the enciphering key
can decipher the message. The mathematical theory of classical cryptography was
developed by C. Shannon.

There is a problem in private key cryptography which is called the problem
of key distribution. To establish the key, two users must use a very secure channel.
In the classical world an eavesdropper can in principle monitor the channel without the
legitimate users being aware that eavesdropping has taken place.

In 1976 W. Diffie and M. Hellman [1] discovered a new type of cryptosystem and
invented public key cryptography. This method solves the problem of key
distribution. A public key cryptosystem has the property that someone who knows only
how to encipher cannot use the enciphering key to find the deciphering key without
a prohibitively lengthy computation. The best-known public key cryptosystem, RSA
[§], is widely used on the Internet and in other business. The system relies on the
difficulty of factoring large integers.

In the 1970's S. Wiesner and C.H. Bennett and G. Brassard [^] (their method
is called the BB84 protocol) proposed the idea of quantum cryptography. They
used the sending of single quantum particles. The method of quantum cryptography
can also solve the key distribution problem. Moreover it can detect the presence of
an eavesdropper. In 1991 A. Ekert ^ proposed to use in quantum cryptography the
phenomena of entanglement and Bell's inequalities.

Experimental quantum key distribution was demonstrated for the first time in 1989 
and since then tremendous progress has been made. Several groups have shown that 
quantum key distribution is possible, even outside the laboratory. In particular, the
creation of a key over a distance of several dozen kilometers has been reported 0.

First we discuss Caesar's cryptosystem and then in Sect. 3 elements of number
theory needed for cryptography are discussed. In Sect. 4 the public key distribution
and the RSA cryptosystem are considered. The BB84 quantum cryptographic protocol
is discussed in Sect. 8. Some useful notions of the mutual information and Shannon's
entropy are included and proofs of security of the protocol are discussed. In Sect. 9
the Einstein-Podolsky-Rosen-Bell-Ekert (EPRBE) quantum cryptographic protocol is
considered. The security of the protocol is based on Bell's theorem describing nonlocal 
properties of entangled states. The importance of consideration of entangled states 
in space and time is stressed. A modification of Bell's equation which includes the 
spacetime variables is given and the problem of security of the EPRBE protocol in real 
spacetime is discussed. 

2 Private Key Cryptosystems



Cryptography is the art of sending messages in disguised form. We shall use the 
following notions. 

Alphabet - a set of letters. 

Plaintext - the message we want to send. 

Ciphertext - the disguised message. 

The plaintext and ciphertext are broken up into message units. A message unit 
might be a single letter, a pair of letters or a block of k letters. 

An enciphering transformation is a function $f$ from the set $\mathcal{P}$ of all possible
plaintext message units to the set $\mathcal{C}$ of all possible ciphertext units. We assume
that $f$ is a 1-to-1 correspondence, $f : \mathcal{P} \to \mathcal{C}$. The deciphering
transformation is the map $f^{-1}$ which goes back and recovers the plaintext from the
ciphertext. Schematically one has
the diagram 

Any such set-up is called a cryptosystem. 
2.1 Julius Caesar's cryptosystem 

Let us discuss the Caesar cryptosystem in more detail. Suppose we use the 26-letter
Latin alphabet A, B, ..., Z with numerical equivalents 0, 1, ..., 25. Let the letter
$x \in \{0, 1, \dots, 25\}$ stand for a plaintext message unit. Define a function

$$ f : \{0, \dots, 25\} \to \{0, \dots, 25\} $$

by the rule

$$ f(x) = \begin{cases} x + 3, & \text{if } x < 23 \\ x + 3 - 26 = x - 23, & \text{if } x \ge 23 \end{cases} $$

In other words $f(x) \equiv x + 3 \pmod{26}$.

To decipher a message one subtracts 3 modulo 26.

Exercise. According to Caesar's cryptosystem the word "COLD" reads "FROG".

More generally consider the congruence (see Sect. 3 about the properties of
congruences)

$$ f(x) \equiv x + b \pmod{N} $$

i.e.

$$ f(x) = \begin{cases} x + b, & \text{if } x < N - b \\ x - (N - b) = x + b - N, & \text{if } x \ge N - b \end{cases} $$

In the case of Caesar's cryptosystem $N = 26$, $b = 3$. To decipher the message one
subtracts $b$ modulo $N$.

We could use a more general affine map, i.e. $f(x) \equiv ax + b \pmod{N}$. To decipher
a message $y \equiv ax + b \pmod{N}$ one solves for $x$ in terms of $y$ obtaining

$$ x \equiv a'y + b' \pmod{N} $$

where $a'$ is the inverse of $a$ modulo $N$ and $b' \equiv -a^{-1}b \pmod{N}$. Assume $a$ is
relatively prime to $N$, then there exists $a^{-1}$ (see Sect. 3).

In this example the enciphering function $f$ depends upon the choice of parameters
$a$ and $b$. The values of parameters are called the enciphering key $K_E = (a, b)$. In order
to compute $f^{-1}$ (decipher) we need a deciphering key $K_D$. In our example $K_D = (a', b')$
where $a' \equiv a^{-1} \pmod{N}$ and $b' \equiv -a^{-1}b \pmod{N}$.
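
The affine cryptosystem above, as an added Python example that is not part of the original lecture notes. The function names and the sample key (5, 8) are chosen here for illustration; the code derives $K_D$ from $K_E$, rejects keys for which $a$ has no inverse, and counts how many usable keys exist for the 26-letter alphabet.

```python
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # numerical equivalents 0..25
N = len(ALPHABET)


def check_key(a):
    """An affine key (a, b) is usable only if a is relatively prime to N."""
    if gcd(a, N) != 1:
        raise ValueError(f"a={a} has no inverse modulo {N}; f would not be 1-to-1")


def transform(text, key):
    """Apply x -> a*x + b (mod N) to every letter of an upper-case message."""
    a, b = key
    check_key(a)
    return "".join(ALPHABET[(a * ALPHABET.index(ch) + b) % N] for ch in text)


def deciphering_key(enciphering_key):
    """K_D = (a', b') with a' = a^-1 (mod N) and b' = -a^-1 * b (mod N)."""
    a, b = enciphering_key
    check_key(a)
    a_inv = pow(a, -1, N)              # modular inverse (Python 3.8+)
    return a_inv, (-a_inv * b) % N


def key_space_size():
    """Number of usable keys: phi(N) choices of a times N choices of b."""
    return sum(1 for a in range(N) if gcd(a, N) == 1) * N


if __name__ == "__main__":
    caesar = (1, 3)                    # Caesar's cipher is the case a = 1, b = 3
    print(transform("COLD", caesar))

    k_e = (5, 8)                       # constructed sample key
    k_d = deciphering_key(k_e)
    ciphertext = transform("PLAINTEXT", k_e)
    # Deciphering is itself an affine map, applied with K_D instead of K_E.
    print(ciphertext, k_d, transform(ciphertext, k_d))
    print("usable keys:", key_space_size())
```

The whole key space is small enough to enumerate, and $K_D$ follows from $K_E$ in one step, which is what the next subsection means by a symmetric cryptosystem.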

2.2 Symmetric Cryptosystems - DES and GOST 

Suppose that the algorithm of the cryptosystem is publicly known but the keys are kept
secret. This is private key cryptography. Examples of such cryptosystems are the Data
Encryption Standard (DES), with a 56-bit private key (USA, 1980) and a more secure
GOST-28147-89 which uses a 256-bit key (Russia, 1989). In such cryptosystems anyone
who knows an enciphering key can determine the deciphering key. Such cryptosystems
are called symmetric cryptosystems.

3 Elements of Number Theory 

In this section we collect some relevant material from number theory 0. 

Euclid's Algorithm. Given two integers $a$ and $b$, not both zero, the greatest
common divisor of $a$ and $b$, denoted g.c.d.$(a, b)$, is the biggest integer $d$ dividing both
$a$ and $b$. For example, g.c.d.$(9, 12) = 3$.

There is the well known Euclid's algorithm for finding the greatest common divisor.
It proceeds as follows.

Find g.c.d.$(a, b)$ where $a > b > 0$.

1) Divide $b$ into $a$ and write down the quotient $q_1$ and the remainder $r_1$:

$$ a = q_1 b + r_1, \quad 0 < r_1 < b, $$

2) Next, perform a second division with $b$ playing the role of $a$ and $r_1$ playing the role
of $b$:

$$ b = q_2 r_1 + r_2, \quad 0 < r_2 < r_1. $$

3) Next:

$$ r_1 = q_3 r_2 + r_3, \quad 0 < r_3 < r_2. $$

Continue in this way. When we finally obtain a remainder that divides the previous
remainder, we are done: that final nonzero remainder is the g.c.d. of $a$ and $b$:

$$ r_t = q_{t+2} r_{t+1} + r_{t+2}, $$

We obtain: $r_{t+2} = d =$ g.c.d.$(a, b)$.
Example. Find g.c.d.$(128, 24)$:

$$ 128 = 5 \cdot 24 + 8, $$
$$ 24 = 3 \cdot 8 $$

We obtain that g.c.d.$(128, 24) = 8$.

Let us prove that Euclid's algorithm indeed gives the greatest common divisor.
Note first that $b > r_1 > r_2 > \dots$ is a sequence of decreasing positive integers which
cannot be continued indefinitely. Consequently Euclid's algorithm must end.

Let us go up through Euclid's algorithm: $r_{t+2} = d$ divides $r_{t+1}, r_t, \dots, r_1, b, a$.
Thus $d$ is a common divisor of $a$ and $b$.

Now let $c$ be any common divisor of $a$ and $b$. Go downward through Euclid's
algorithm: $c$ divides $r_1, r_2, \dots, r_{t+2} = d$. Thus $d$, being a common divisor of $a$ and $b$,
is divisible by any common divisor of these numbers. Consequently $d$ is the greatest
common divisor of $a$ and $b$. □

Another (but similar) proof is based on the formula

$$ \text{g.c.d.}(qb + r, b) = \text{g.c.d.}(b, r). $$

Corollary. Note that from Euclid's algorithm it follows (go up) that if $d =$ g.c.d.$(a, b)$
then there are integers $u$ and $v$ such that

$$ d = ua + vb. \tag{1} $$

In particular one has

$$ ua \equiv d \pmod{b} \tag{2} $$

One can estimate the efficiency of Euclid's algorithm. By Lamé's theorem the
number of divisions required to find the greatest common divisor of two integers is
never greater than five times the number of digits in the smaller integer.

Congruences. An integer $a$ is congruent to $b$ modulo $m$,

$$ a \equiv b \pmod{m} $$

iff $m$ divides $(a - b)$. In this case $a = b + km$ where $k = 0, \pm 1, \pm 2, \dots$.

Proposition. Let us be given two integers $a$ and $m$. The following are equivalent

(i) There exists $u$ such that $au \equiv 1 \pmod{m}$.

(ii) g.c.d.$(a, m) = 1$.
Proof. From (i) it follows

$$ ab - mk = 1. $$

Therefore g.c.d.$(a, m) = 1$, i.e. we get (ii).

Now if (ii) is valid then one has the relation (2) for $d = 1$, $b = m$:

$$ au \equiv 1 \pmod{m} $$

which gives (i). □

Let us solve in integers the equation

$$ ax \equiv c \pmod{m} \tag{3} $$

We suppose that g.c.d.$(a, m) = 1$. Then by the previous proposition there exists such
$b$ that

$$ ab \equiv 1 \pmod{m}. $$

Multiplying Eq. (3) by $b$ we obtain the solution

$$ x \equiv bc \pmod{m} \tag{4} $$

or more explicitly

$$ x = bc + km, \quad k = 0, \pm 1, \pm 2, \dots $$

Exercise. Find all of the solutions of the congruence

$$ 3x \equiv 4 \pmod{7}. $$

Chinese Remainder Theorem. Suppose there is a system of congruences to
different moduli:

$$ x \equiv a_1 \pmod{m_1}, $$
$$ x \equiv a_2 \pmod{m_2}, $$
$$ \dots $$
$$ x \equiv a_t \pmod{m_t}. $$

Suppose g.c.d.$(m_i, m_j) = 1$ for $i \ne j$. Then there exists a solution $x$ to all of the
congruences, and any two solutions are congruent to one another modulo

$$ M = m_1 m_2 \dots m_t. $$

Proof. Let us denote $M_i = M/m_i$. There exist $N_i$ such that

$$ M_i N_i \equiv 1 \pmod{m_i} $$

Let us set

$$ x = \sum_i a_i M_i N_i $$

This is the solution. Indeed we have

$$ \sum_i a_i M_i N_i = a_1 M_1 N_1 + \dots \equiv a_1 + 0 + \dots \equiv a_1 \pmod{m_1} $$

and similarly for other congruences. □
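
Euclid's algorithm with the integers $u$, $v$ of the Corollary (1), the solution (4) of a linear congruence, and the $M_i N_i$ construction from the proof of the Chinese Remainder Theorem, as an added Python example that is not part of the original lecture notes. Function names and the sample system of congruences are chosen here for illustration.

```python
def euclid_steps(a, b):
    """Rows (dividend, quotient, divisor, remainder) of Euclid's algorithm."""
    rows = []
    while b != 0:
        q, r = divmod(a, b)
        rows.append((a, q, b, r))
        a, b = b, r
    return rows


def extended_gcd(a, b):
    """Return (d, u, v) with d = g.c.d.(a, b) and d = u*a + v*b, as in (1)."""
    old_r, r = a, b
    old_u, u = 1, 0
    old_v, v = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_u, u = u, old_u - q * u
        old_v, v = v, old_v - q * v
    return old_r, old_u, old_v


def mod_inverse(a, m):
    """The u with a*u = 1 (mod m); it exists iff g.c.d.(a, m) = 1."""
    d, u, _ = extended_gcd(a % m, m)
    if d != 1:
        raise ValueError(f"{a} is not invertible modulo {m} (g.c.d. is {d})")
    return u % m


def solve_linear_congruence(a, c, m):
    """Solve a*x = c (mod m) for g.c.d.(a, m) = 1: x = b*c (mod m), a*b = 1."""
    return (mod_inverse(a, m) * c) % m


def crt(residues, moduli):
    """Solve x = a_i (mod m_i) for pairwise coprime m_i; return (x, M)."""
    for i, mi in enumerate(moduli):
        for mj in moduli[i + 1:]:
            if extended_gcd(mi, mj)[0] != 1:
                raise ValueError(f"moduli {mi} and {mj} are not coprime")
    big_m = 1
    for mi in moduli:
        big_m *= mi
    x = 0
    for ai, mi in zip(residues, moduli):
        m_i = big_m // mi              # M_i = M / m_i
        n_i = mod_inverse(m_i, mi)     # M_i * N_i = 1 (mod m_i)
        x += ai * m_i * n_i
    return x % big_m, big_m


if __name__ == "__main__":
    for dividend, q, divisor, r in euclid_steps(128, 24):
        print(f"{dividend} = {q}*{divisor} + {r}")
    print(extended_gcd(128, 24))
    print(solve_linear_congruence(3, 4, 7))
    print(crt([2, 3, 2], [3, 5, 7]))   # constructed sample system
```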
We will also need

Fermat's Little Theorem. Let $p$ be a prime number. Any integer $a$ satisfies

$$ a^p \equiv a \pmod{p} $$

and any integer $a$ not divisible by $p$ satisfies

$$ a^{p-1} \equiv 1 \pmod{p}. $$

Proof. Suppose $a$ is not divisible by $p$. Then $\{0a, 1a, 2a, \dots, (p-1)a\}$ form a complete
set of residues modulo $p$, i.e. $\{a, 2a, \dots, (p-1)a\}$ are a rearrangement of $\{1, 2, \dots, p-1\}$
when considered modulo $p$. Hence the product of the numbers in the first sequence is
congruent modulo $p$ to the product of the members in the second sequence, i.e.

$$ a^{p-1}(p-1)! \equiv (p-1)! \pmod{p} $$

Thus $p$ divides $(p-1)!\,(a^{p-1} - 1)$. Since $(p-1)!$ is not divisible by $p$, it should be that
$p$ divides $(a^{p-1} - 1)$. □
The Euler function.

The Euler function $\varphi(n)$ is the number of nonnegative integers $a$ less than $n$ which
are prime to $n$:

$$ \varphi(n) = \#\{0 \le a < n : \text{g.c.d.}(a, n) = 1\} $$

In particular $\varphi(1) = 1$, $\varphi(2) = 1$, $\varphi(6) = 2$, .... One has $\varphi(p) = p - 1$ for any
prime $p$.

Exercise. Prove: $\varphi(p^n) = p^n - p^{n-1}$ for any $n$ and prime $p$.

The Euler function is multiplicative, meaning that

$$ \varphi(mn) = \varphi(m)\varphi(n) $$

whenever g.c.d.$(m, n) = 1$.
If 

then 

P\ Pk 

In particular, if $n$ is the product of two primes, $n = pq$, then

$$ \varphi(n) = \varphi(p)\varphi(q) = (p - 1)(q - 1) $$

There is the following generalization of Fermat's Little Theorem.
Euler's theorem. If g.c.d.$(a, m) = 1$ then

Proof. Let $r_1, r_2, \dots, r_{\varphi(m)}$ be classes of integers relatively prime to $m$. Such a system is
called a reduced system of residues mod $m$. Then $ar_1, ar_2, \dots, ar_{\varphi(m)}$ is another reduced
system since g.c.d.$(a, m) = 1$. Therefore

$$ ar_1 \equiv r_{\pi(1)}, \quad ar_2 \equiv r_{\pi(2)}, \quad \dots, \quad ar_{\varphi(m)} \equiv r_{\pi(\varphi(m))} \pmod{m} $$

On multiplying these congruences, we get

$$ a^{\varphi(m)} r_1 r_2 \dots r_{\varphi(m)} \equiv r_1 r_2 \dots r_{\varphi(m)} \pmod{m} $$

Now since $r_1 r_2 \dots r_{\varphi(m)}$ is relatively prime to $m$ the theorem is proved. □



4 Public Key Cryptography and RSA Cryptosystem

First let us define some extra notions that we will use along with ones defined in the 
previous sections. 

Information channel - a way to transmit information from one endpoint to
another.

Trusted channel - an information channel where it is believed that it is impossible
to eavesdrop on the transmitted information. For example, military optical
communication channels.

Public channel - an information channel where the transmitted information could
be quite easily overheard. An example is the Internet.

Let us introduce our main characters: Alice, Bob and Eve. Alice wants to send
ciphertext to Bob. Eve, the eavesdropper, wants to catch the ciphertext and break it,
i.e. decipher it without knowing the deciphering key. In our scheme, in order to produce
a ciphertext from the plaintext Alice has to have an enciphering key. In turn, Bob
needs a deciphering key to read (decipher) Alice's ciphertext. If Alice and Bob use a
private key cryptosystem, i.e. a cryptosystem where enciphering and deciphering keys
could be easily produced one from another, they come to the key distribution problem.
Indeed Alice and Bob should use a trusted channel to share the keys.

At first glance it seems to be impossible to get rid of the need for the secret
channel. However in 1976 W. Diffie and M. Hellman [1] discovered a new type of
cryptosystem called a public key cryptosystem where there is no key distribution problem
at all. A public key cryptosystem has the property that having the enciphering key
one cannot find the deciphering key without a prohibitively lengthy computation. In
other words the enciphering function $f : \mathcal{P} \to \mathcal{C}$ is easy to compute if the
enciphering key $K_E$ is known, but it is very hard to compute the inverse function
$f^{-1} : \mathcal{C} \to \mathcal{P}$ without knowing the deciphering key $K_D$ even having the
enciphering key $K_E$.

One of the most widely used public key cryptosystems is RSA - a cryptosystem
named after the three inventors, Ron Rivest, Adi Shamir, and Leonard Adleman 0.
The RSA cryptosystem is based on the fact that in order to factorise a big natural
number with $N$ digits any classical computer needs at least a number of steps that
grows faster than any polynomial in $N$. Strictly speaking there is no rigorous proof
of this fact but all known factoring algorithms obey it.

Let us describe the RSA cryptosystem in more detail. First we describe the protocol,
i.e. the steps our characters Alice and Bob should perform in order to allow Alice to send
enciphered messages to Bob. The mathematical basis of the RSA cryptosystem will be
described in the next section.

4.1 The RSA Protocol

The RSA protocol solves the following problem. Bob wants to announce publicly a
public key such that Alice using this key will send to him an enciphered message and
nobody but Bob will be able to decipher it.

1. Bob generates public and private keys - each of them is a pair of two natural
numbers - $(e, n)$ and $(d, n)$. Here $K_E = (e, n)$ is the enciphering key (public) and
$K_D = (d, n)$ is the deciphering key (private).

In order to generate public and private keys Bob does the following:

a) Takes any two big prime numbers $p$ and $q$ and computes $n = pq$ and the
value of the Euler function $\varphi(n) = (p - 1)(q - 1)$. In modern cryptosystems
one uses $\log p \sim \log q \sim 1000$.

b) Takes any $e < n$, such that $\gcd(e, \varphi(n)) = 1$.

c) Computes $d = e^{-1} \pmod{\varphi(n)}$, i.e. finds natural $d$ such that

$$ ed \equiv 1 \pmod{\varphi(n)}, \quad 1 < d < \varphi(n) \tag{5} $$

2. Bob sends a public key $(n, e)$ to Alice via a public channel.

3. Alice having Bob's public key $(n, e)$ and a plaintext $m$ (assume $m$ is a natural
number and $m < n$) that she wants to send to Bob computes

$$ c \equiv m^e \pmod{n} $$

and sends $c$ (ciphertext) to Bob.

4. When Bob receives $c$ from Alice he computes

$$ c^d \pmod{n} $$

and gets Alice's plaintext $m$, because $m \equiv c^d \pmod{n}$.
Nobody but Bob will be able to decipher Alice's message.

4.2 Mathematical Basis of the RSA Protocol

In this section we will show why the RSA cryptosystem works. Then we will discuss
the security of the protocol, i.e. how hard it is for Eve, the eavesdropper, to decipher
Alice's message without knowing the private key.

In order to prove that the RSA cryptosystem works we have to prove that the
computation that Bob does at step d) of the protocol is the inverse of the computation
that Alice does at step c). That is

$$ c^d \equiv m \pmod{n} $$

From (1) we have

$$ ed = 1 + k\varphi(n), \quad k \in \mathbb{Z} $$

We have

$$ c^d = m^{ed} = m \cdot m^{k\varphi(n)} \tag{6} $$

Finally using Euler's theorem for the rhs of (6) we obtain

$$ c^d \equiv m \pmod{n} $$

Now let us investigate the security of the RSA cryptosystem. It seems to be rather
straightforward for Eve to obtain Bob's private key having his public key. The only
thing she has to do, having $n$ and $e$, is solve the congruence

$$ de \equiv 1 \pmod{\varphi(n)}, \quad 1 < d < \varphi(n) $$

The problem that Eve would face here is to compute $\varphi(n)$. To this end she has to know
$p$ and $q$, i.e. she has to solve the factoring problem. The practical solution of this
problem is not possible with modern technology. For a discussion of this problem see
for example f^.
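
The RSA protocol of Sect. 4.1 and the argument of Sect. 4.2, as an added Python example that is not part of the original lecture notes. The primes 61 and 53, the exponent 17 and the message 65 are small constructed values for illustration only, and all function names are chosen here. The last function shows why $\varphi(n)$ has to be protected like the private key: together with $n$ it determines $p$ and $q$.

```python
from math import gcd, isqrt


def is_prime(k):
    """Trial division; adequate for the toy sizes used in this example."""
    return k > 1 and all(k % f for f in range(2, isqrt(k) + 1))


def generate_keys(p, q, e):
    """Steps a)-c): return K_E = (e, n) and K_D = (d, n)."""
    if not (is_prime(p) and is_prime(q)) or p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)            # Euler function of n = pq
    if not (1 < e < n) or gcd(e, phi) != 1:
        raise ValueError("e must satisfy e < n and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)                # e*d = 1 (mod phi(n)), Python 3.8+
    return (e, n), (d, n)


def encipher(m, public_key):
    """Step 3: Alice computes c = m^e (mod n) for a plaintext m < n."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext must satisfy 0 <= m < n")
    return pow(m, e, n)


def decipher(c, private_key):
    """Step 4: Bob computes c^d (mod n)."""
    d, n = private_key
    return pow(c, d, n)


def round_trip_holds_for_all_messages(public_key, private_key):
    """Check c^d = m (mod n) for every m < n (feasible only for toy n)."""
    n = public_key[1]
    return all(decipher(encipher(m, public_key), private_key) == m
               for m in range(n))


def factors_from_phi(n, phi):
    """Given n = pq and phi(n), recover p and q from p + q = n - phi(n) + 1."""
    s = n - phi + 1                    # p + q
    disc = s * s - 4 * n               # (p - q)^2
    root = isqrt(disc)
    if disc < 0 or root * root != disc:
        raise ValueError("phi is not the Euler function of a product of two primes")
    return (s + root) // 2, (s - root) // 2


if __name__ == "__main__":
    public, private = generate_keys(61, 53, 17)
    c = encipher(65, public)
    print(public, private, c, decipher(c, private))
    print(round_trip_holds_for_all_messages(public, private))
    print(factors_from_phi(3233, 3120))
```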



5 Shannon's Entropy and Mutual Information 



Here we summarize some notions from information theory [Ty, |l^, |T3l used in quantum
cryptography for the consideration of security of quantum cryptographic protocols.

Privacy is often expressed in terms of Shannon's entropy or mutual information.
Let $(\Omega, \mathcal{F}, P)$ be a probability space and $X$, $Y$ and $Z$ three random variables taking
values in a discrete set on the real line. Let $p(x, y, z) = P(X = x \wedge Y = y \wedge Z = z)$
be the joint distribution, $p(x, y) = P(X = x \wedge Y = y)$ the marginal distribution,
$p(x|y) = P(X = x \,|\, Y = y)$ the conditional distribution, and $p(x) = P(X = x)$,
$p(y) = P(Y = y)$.

The Shannon entropy of $X$ is given by

$$ H(X) = -\sum_x p(x) \log p(x). $$

The mutual information between $X$ and $Y$ is given by

$$ I(X; Y) = \sum_{x,y} p(x, y) \log\left(\frac{p(x, y)}{p(x)p(y)}\right) $$

The conditional Shannon entropy of $X$ given $Y$ is given by

$$ H(X \,|\, Y) = -\sum_{x,y} p(x, y) \log p(x|y). $$

One has

$$ I(X; Y) = H(X) - H(X \,|\, Y) = H(Y) - H(Y \,|\, X). $$
The conditional mutual information between X and Y given Z is 

Quantum entropy of an observable $A$ in the state $\rho$ is defined by

$$ H(A, \rho) = -\sum_i p(i, \rho) \log p(i, \rho) \tag{7} $$

where $p(\cdot, \rho)$ is the probability distribution of an observable $A$ in the state $\rho$. If the
state $\rho$ is pure, i.e. $\rho = |\psi\rangle\langle\psi|$, where $\psi$ is a unit vector in a Hilbert space, one can
rewrite (7) as

H{A^) = -Y^m^)\Hogm^)\' (8) 

i 

where is an orthonormal basis consisting from eigenvectors of the observable A. 



6 Entropic Uncertainty Relations 

The fundamental Heisenberg uncertainty relation is a particular case of the Robertson
inequality

$$ \Delta(A, \psi)\,\Delta(B, \psi) \ge \frac{1}{2}\,|(\psi, [A, B]\psi)| $$
where A and B are two observables and 

Here we discuss a generalization of the uncertainty relation which uses the notions of 
entropy and mutual information. 

Theorem 1. For any nondegenerate observables $A$ and $B$ in the finite dimensional
Hilbert space the entropic uncertainty relation holds [|, ^

$$ H(A, \rho) + H(B, \rho) \ge -2 \log c \tag{9} $$

where $c$ is defined as the maximum possible overlap of the eigenstates of $A$ and $B$

$$ c = \max_{a,b} |\langle a | b \rangle| \tag{10} $$

Here $\{|a\rangle\}$ and $\{|b\rangle\}$ are orthonormal bases consisting of eigenvectors of $A$ and $B$
respectively.

One can check that for any nondegenerate observable $A$ in $N$-dimensional Hilbert
space there exists an upper bound on the entropy

$$ H(A, \rho) \le \log N \tag{11} $$

Let us illustrate the entropic uncertainty relation on a simple spin-1/2 particle. Taking
Pauli matrices

-(?o)--(J-0 

as observables with eigenstates

we compute $c = 1/\sqrt{2}$. Now taking 2 as a base of the logarithm, the relation (9) states
that for any unit vector $\varphi \in \mathbb{C}^2$ it holds

$$ \sum_{i=1,2} \left( |(e_i|\varphi)|^2 \log |(e_i|\varphi)|^2 + |(h_i|\varphi)|^2 \log |(h_i|\varphi)|^2 \right) \le -1 \tag{14} $$
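
A numerical check of the relations (9), (11) and (14) for the spin-1/2 case, as an added Python example that is not part of the original lecture notes. It assumes that the two observables are the Pauli matrices $\sigma_z$ and $\sigma_x$, with eigenbases written here as `E_BASIS` and `H_BASIS`; these names, the function names and the random sampling are choices made for this example.

```python
import math
import random

S = 1 / math.sqrt(2)
E_BASIS = ((1, 0), (0, 1))       # assumed: eigenvectors e_1, e_2 of sigma_z
H_BASIS = ((S, S), (S, -S))      # assumed: eigenvectors h_1, h_2 of sigma_x


def overlap(u, v):
    """|(u|v)| for two vectors of C^2 given as tuples."""
    return abs(sum(x.conjugate() * y for x, y in zip(u, v)))


def max_overlap(basis_a, basis_b):
    """The constant c of (10): the largest overlap between the eigenstates."""
    return max(overlap(a, b) for a in basis_a for b in basis_b)


def entropy(state, basis):
    """H(A, psi) in bits for a pure state and the eigenbasis of A."""
    total = 0.0
    for b in basis:
        p = overlap(b, state) ** 2
        if p > 0:
            total -= p * math.log2(p)
    return total


def entropy_sum(state):
    """Left-hand side of (9) for the two assumed observables."""
    return entropy(state, E_BASIS) + entropy(state, H_BASIS)


def random_state(rng):
    """A random unit vector of C^2."""
    z = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(2)]
    norm = math.sqrt(sum(abs(x) ** 2 for x in z))
    return tuple(x / norm for x in z)


def entropy_ranges(samples=2000, seed=1):
    """(smallest entropy sum, largest single entropy) over random states."""
    rng = random.Random(seed)
    states = [random_state(rng) for _ in range(samples)]
    smallest_sum = min(entropy_sum(s) for s in states)
    largest_single = max(max(entropy(s, E_BASIS), entropy(s, H_BASIS))
                         for s in states)
    return smallest_sum, largest_single


if __name__ == "__main__":
    c = max_overlap(E_BASIS, H_BASIS)
    print("c =", c, " bound -2 log2 c =", -2 * math.log2(c))
    print("eigenstate of sigma_z:", entropy_sum((1, 0)))   # bound is attained
    print(entropy_ranges())
```

An eigenstate of one observable attains the bound: its entropy is 0 for that observable and 1 bit for the other.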

Now we will formulate the uncertainty relation using the mutual information.
Consider a quantum system which is described by density operator $\rho_i$ with probability $p_i$.
Then the density operator of the whole ensemble $\mathcal{E} = \{\rho_i\}$ of all possible states of the
system is given by

$$ \rho = \sum_i p_i \rho_i $$

The mutual information corresponding to a measurement of an observable $A$ is given
by

$$ I(A, \mathcal{E}) = H(A, \rho) - \sum_i p_i H(A, \rho_i) $$

Using ( pT]) one can obtain the following theorem (information exclusion
relation W^)

Theorem 2. Let $A$ and $B$ be arbitrary observables in $N$-dimensional Hilbert space,
then

$$ I(A, \mathcal{E}) + I(B, \mathcal{E}) \le 2 \log Nc $$

where $c$ is defined by (10).



7 The No Cloning Theorem 

The eavesdropper, Eve, wants to have a perfect copy of Alice's message. However
Wootters and Zurek [T^] proved that perfect copying is impossible in the quantum
world.

It is instructive to start with the following 

Proposition. If $\mathcal{H}$ is a Hilbert space and $\phi_0$ is a vector from $\mathcal{H}$ then there is no
linear map $M : \mathcal{H} \otimes \mathcal{H} \to \mathcal{H} \otimes \mathcal{H}$ with the property
$M(\psi \otimes \phi_0) = \psi \otimes \psi$ for any $\psi$.
Proof. Indeed we would have

$$ M(2\psi \otimes \phi_0) = 2\psi \otimes 2\psi = 4\psi \otimes \psi $$

But because of linearity we should have

$$ M(2\psi \otimes \phi_0) = 2M(\psi \otimes \phi_0) = 2\psi \otimes \psi $$

This contradiction proves the claim. Now let us prove the no cloning theorem.

Theorem. Let $\mathcal{H}$ and $\mathcal{K}$ be two Hilbert spaces, $\dim \mathcal{H} \ge 2$. Let $M$ be a linear
map (copy machine)

with the property 

for any $\psi \in \mathcal{H}$ and some nonzero vectors $\phi_0 \in \mathcal{H}$ and $\zeta_0 \in \mathcal{K}$, where
$\eta_\psi \in \mathcal{K}$ can depend on $\psi$. Then $M$ is a trivial map, $M = 0$ (i.e. $\eta_\psi = 0$ for any $\psi$).
Proof. Let $\{e_i\}$ be an orthonormal basis in $\mathcal{H}$. We have

$$ M(e_i \otimes \phi_0 \otimes \zeta_0) = e_i \otimes e_i \otimes \eta_i $$

where $\eta_i$ are some vectors in $\mathcal{K}$. To prove the theorem we prove that $\eta_i = 0$. If $i \ne j$
then $(e_i + e_j)/\sqrt{2}$ is a unit vector (here we use that $\dim \mathcal{H} \ge 2$). We have the equality

$$ \frac{1}{\sqrt{2}}(e_i + e_j) \otimes \phi_0 \otimes \zeta_0 = \frac{1}{\sqrt{2}} e_i \otimes \phi_0 \otimes \zeta_0 + \frac{1}{\sqrt{2}} e_j \otimes \phi_0 \otimes \zeta_0 $$

Let us apply the map $M$ to both sides of this equality. Then we get

$$ \frac{1}{\sqrt{2}}(e_i + e_j) \otimes \frac{1}{\sqrt{2}}(e_i + e_j) \otimes \eta_{ij} = \frac{1}{\sqrt{2}} e_i \otimes \frac{1}{\sqrt{2}} e_i \otimes \eta_i + \frac{1}{\sqrt{2}} e_j \otimes \frac{1}{\sqrt{2}} e_j \otimes \eta_j \tag{15} $$

where $\eta_{ij}$ is a vector in $\mathcal{K}$. We can rewrite (15) as

$$ e_i \otimes e_i \otimes (\eta_{ij} - \eta_i) + e_i \otimes e_j \otimes \eta_{ij} + e_j \otimes e_i \otimes \eta_{ij} + e_j \otimes e_j \otimes (\eta_{ij} - \eta_j) = 0 $$

Now taking into account that $e_i$ and $e_j$ belong to a basis in $\mathcal{H}$ we get

$$ \eta_{ij} - \eta_i = 0, \quad \eta_{ij} = 0, \quad \eta_{ij} - \eta_j = 0 $$

Hence $\eta_i = 0$ for any $i$ and the Theorem is proved.

Remark. If $\dim \mathcal{H} = 1$, i.e. $\mathcal{H} = \mathbb{C}$, then the Theorem is not valid. For $\phi_0 = 1$ and
$\psi \in \mathbb{C}$ one can set $M(\psi \zeta_0) = \psi \zeta_0 = \psi^2 \eta_\psi$ where $\eta_\psi = \zeta_0/\psi$ for $\psi \ne 0$.

We proved that Eve cannot get a perfect quantum copy because perfect quantum
copy machines cannot exist. The possibility to copy classical information is one of
the most crucial features of information needed for eavesdropping. The quantum no
cloning theorem prevents Eve from perfect eavesdropping, and hence makes quantum
cryptography potentially secure.

Note however that though there is no perfect quantum cloning machine, there
are cloning machines that achieve the optimal approximate cloning transformation
compatible with the no cloning theorem, see O, ITH .



8 The BB84 Quantum Cryptographic Protocol 

Quantum cryptographic protocols differ from the classical ones in that their security is 
based on the laws of quantum mechanics, rather than the conjectured computational 
difficulty of certain functions. In this section we will describe the Bennett and Brassard 
(BB84) quantum cryptographic protocol [Q. 

8.1 The BB84 Protocol 

First let us describe the physical devices used by Alice and Bob. 

Alice has a photon emitter - a device which is capable of emitting single photons that
are linearly polarized in one of four directions. The polarizations are described by the four
unit vectors in $\mathbb{C}^2$; here they are $e_1, e_2, h_1, h_2$ given in (|r^). We will call the polarizations
vertical, horizontal, diagonal, anti-diagonal ones and denote them respectively ( | , -
, \ , / ). We have two bases in $\mathbb{C}^2$. One basis, = $\{e_1, e_2\}$, describes the vertical
and horizontal polarizations. Another basis, = $\{h_1, h_2\}$, describes the diagonal and
anti-diagonal polarizations. Note that one has

$$ |(e_i, h_j)| = 1/\sqrt{2}, \quad i, j = 1, 2 \tag{16} $$

Bases with such a property are called conjugate. Note also that the vectors $e_1, e_2$ from
the basis G^ and $h_1, h_2$ from the basis G^ are the eigenvectors of the Pauli matrices
and respectively, see (|T^).

Bob has a photon detector - a device that detects single photons in one of the 
two bases. 

Alice can send photons emitted by the photon emitter to Bob and Bob detects the 
photons with the photon detector. 
The Protocol. 

1. Alice chooses a random polarization basis and prepares photons with a random 
polarization that belongs to the chosen basis. She sends the photons to Bob. 



2. For each photon Bob chooses at random which polarization basis he will use, 
and measures the polarization of the photon. (If Bob chooses the same basis as Alice 
he can for sure identify the polarization of the photon). 

3. Alice and Bob use the public channel to compare the polarization bases they 
used. They keep only the polarization data for which the polarization bases are the 
same. In the absence of errors and eavesdropping these data should be the same on 
both sides, it is called a raw key. 

4. At the last step Alice and Bob use methods of classical information theory to
check whether their raw keys are the same. For example, they choose a random subset
of the raw key and compare it using the public channel. They compute the error
rate (that is, the fraction of data for which their values disagree). If the error rate is
unreasonably high - above, say, 10% - they abort the protocol and may try again
later. If the error rate is not that high they could use error correction codes.

As a result of the protocol Alice and Bob share the same random data. This data
could now be used as a private key in symmetric cryptosystems.

Instead of polarized photons one can use any two level quantum system. One can
also consider a generalized quantum key distribution protocol using a d-dimensional
Hilbert space with k bases, where each basis has d states, 0, |3^, |3^, |3^ .



8.2 BB84 Security 

In transmitting information, there are always some errors and Alice and Bob must
apply some classical information processing protocols to improve their data. They
can use error correction to obtain identical keys and privacy amplification to obtain a
secret key. To solve the problem of eavesdropping one has to find a protocol which,
assuming that Alice and Bob can only measure the error rate of the received data,
either provides Alice and Bob with a secure key, or aborts the protocol and tells the
parties that the key distribution has failed. There are various eavesdropping problems,
depending in particular on the technological power which Eve could have and on the
assumed fidelity of Alice and Bob's devices, P, ITBI, 117 .



There is a simple eavesdropping strategy, called intercept-resend. Eve measures
each qubit in one of the two bases and resends to Bob a qubit in the state corresponding
to the result of her measurement. This attack belongs to the class of the so-called
individual attacks. In this way Eve will get 50% information. However Alice and Bob
can detect the actions of Eve because they will have 25% of errors in their sifted key.
But it would not be so easy to detect eavesdropping if Eve applies the intercept-resend
strategy to only a fraction of Alice's sending.
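
A classical simulation of the four protocol steps of Sect. 8.1 together with the intercept-resend strategy described above, as an added Python example that is not part of the original lecture notes. The basis labels, function names, the half-of-the-raw-key sample and the seeded random generator are choices made for this example; the only physics used is that a measurement in the conjugate basis gives either outcome with probability 1/2, as in (16). Error correction and privacy amplification are not modelled.

```python
import random

BASES = ("+", "x")   # '+': vertical/horizontal, 'x': diagonal/anti-diagonal


def measure(bit, prepared_in, measured_in, rng):
    """Same basis: the bit is read for sure. Conjugate basis: fair coin."""
    return bit if prepared_in == measured_in else rng.randrange(2)


def run_bb84(n_photons, eve_fraction=0.0, abort_above=0.10, seed=0):
    """Simulate one run; Eve intercepts each photon with prob. eve_fraction."""
    rng = random.Random(seed)
    alice_raw, bob_raw, eve_sure = [], [], 0
    for _ in range(n_photons):
        # Step 1: Alice chooses a random basis and a random polarization.
        a_basis, a_bit = rng.choice(BASES), rng.randrange(2)
        basis, bit, e_basis = a_basis, a_bit, None
        # Intercept-resend: Eve measures and resends what she found.
        if rng.random() < eve_fraction:
            e_basis = rng.choice(BASES)
            bit = measure(bit, basis, e_basis, rng)
            basis = e_basis
        # Step 2: Bob measures in a randomly chosen basis.
        b_basis = rng.choice(BASES)
        b_bit = measure(bit, basis, b_basis, rng)
        # Step 3: only positions with equal bases enter the raw key.
        if b_basis == a_basis:
            alice_raw.append(a_bit)
            bob_raw.append(b_bit)
            eve_sure += (e_basis == a_basis)   # Eve knows this bit for sure
    if len(alice_raw) < 2:
        raise ValueError("too few photons to estimate an error rate")
    # Step 4: compare a random half of the raw key over the public channel.
    positions = list(range(len(alice_raw)))
    rng.shuffle(positions)
    sample = positions[: len(positions) // 2]
    errors = sum(alice_raw[i] != bob_raw[i] for i in sample)
    error_rate = errors / len(sample)
    aborted = error_rate > abort_above
    return {
        "sifted": len(alice_raw),
        "error_rate": error_rate,
        "aborted": aborted,
        "eve_known_fraction": eve_sure / len(alice_raw),
        "key_bits_left": 0 if aborted else len(alice_raw) - len(sample),
    }


if __name__ == "__main__":
    for fraction in (0.0, 0.2, 1.0):
        print(fraction, run_bb84(20000, eve_fraction=fraction, seed=1))
```

With Eve on every photon the estimated error rate is close to 25% and the run aborts; with Eve on a fifth of the photons it is close to 5%, below the 10% abort threshold of step 4, which is the situation the analysis below addresses.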

In this case one can use methods of classical cryptography. We suppose that once
Alice, Bob and Eve have made their measurements, they will get classical random
variables $\alpha$, $\beta$ and $\epsilon$ respectively, with a joint probability distribution $p(x, y, z)$. Let
$I(\alpha, \beta)$ be the mutual information of Alice and Bob and $I(\alpha, \epsilon)$ and $I(\beta, \epsilon)$ the mutual
information of Alice and Eve and Bob and Eve respectively. Intuitively, it is clear that
only if Bob has more information on Alice's bits than Eve could it be possible to
establish a secret key between Alice and Bob. In fact one can prove (see |^) the
following

Theorem 1. Alice and Bob can establish a secret key (using error correction and
privacy amplification) if, and only if

$$ I(\alpha, \beta) > I(\alpha, \epsilon) \quad \text{or} \quad I(\alpha, \beta) > I(\beta, \epsilon). $$

Let D be the error rate. Then one can prove that the BB84 protocol is secure 
against individual attacks if one has the following bound 

D<D,^ i^i^ ^ 15% 

More general coherent or joint attacks, when Eve measures several qubits
simultaneously, have also been discussed. An important problem of the eavesdropping
analysis is to find quantum cryptosystems for which one can prove their ultimate security.
Ultimate security means that the security is guaranteed against the whole class of
eavesdropping attacks, even if Eve uses any conceivable technology of the future.

We assume that Eve has perfect technology which is only limited by the laws of 
quantum mechanics. This means she can use any unitary transformation between any 
number of qubits and an arbitrary auxiliary system. But Eve is not allowed to come 
to Alice's lab and read all her data. 



8.3 Ultimate Security Proofs 

Main ideas on how to prove security of the BB84 protocol were presented by D. Mayers [13]
in 1996. The security issues are considered in recent papers [13], [18], [19], ^ |]3ll|- [^ .
We describe here a simple and general method proposed in ^ The method is
based on Theorem 1 from Sect. 8.2 on classical cryptography and on Theorem 2 from
Sect. 6 on information uncertainty relations.

The argument runs as follows. Suppose Alice sends out a large number of qubits
and Bob receives $n$ of them in the correct basis. The relevant Hilbert space dimension
is then $2^n$. Let us re-label the bases used for each of the $n$ qubits in such a way that
Alice used $n$ times the x-basis. Hence, Bob's observable is the n-time tensor product
$\sigma_x \otimes \dots \otimes \sigma_x$. Since Eve had no way to know the correct bases, her optimal information
on the correct ones is precisely the same as her optimal information on the incorrect
ones. Hence one can bound her information assuming she measures $\sigma_z \otimes \dots \otimes \sigma_z$.
Therefore $c = 2^{-n/2}$ and Theorem 2 from Sect. 6 implies:

$$ I(\alpha, \epsilon) + I(\alpha, \beta) \le 2 \log_2(2^n 2^{-n/2}) = n \tag{17} $$

Next, combining the bound (17) with Theorem 1 from Sect. 8.2, one deduces that a
secret key is achievable if $I(\alpha, \beta) > n/2$. Using

$$ I(\alpha, \beta) = n(1 - D \log_2 D - (1 - D) \log_2(1 - D)) $$

one obtains the sufficient condition on the error rate $D$:

$$ -D \log_2 D - (1 - D) \log_2(1 - D) < \frac{1}{2} $$

i.e. $D < 11\%$. This bound was obtained in Mayers' proof (after improvement by P.
Shor and J. Preskill|2T[]). It is compatible with the 15% bound found for individual
attacks.

One can argue, however, that previous arguments lead in fact to another result:
$c = 2^{-n/4}$. Indeed, Bob's observable is the n-time tensor product $\sigma_x \otimes \dots \otimes \sigma_x$. Now,
since Eve had no way to know the correct basis it was assumed that she measures
$\sigma_z \otimes \dots \otimes \sigma_z$. However it seems if Eve does not know the correct basis then her
observables $\sigma_i$ will be complementary observables to $\sigma_x$ only in the half of cases. In
the other half of cases her observables $\sigma_i$ will be the same as Bob's, i.e. $\sigma_x$. Therefore
one gets: $c = (1/\sqrt{2})^{n/2} = 2^{-n/4}$. This leads to a lower error rate, instead of 11% one
gets 4%.
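
The two error-rate thresholds quoted above can be recomputed from Theorem 2 and Theorem 1; the following Python sketch is an added example, not part of the original lecture notes. It writes the overlap as $c = 2^{-\kappa n}$ ($\kappa$ is a symbol introduced here, with $\kappa = 1/2$ and $\kappa = 1/4$ for the two cases in the text) and assumes that Bob's information per sifted qubit is $1 - h(D)$ with $h$ the binary entropy, so that the sufficient condition becomes $h(D) < \kappa$.

```python
import math


def binary_entropy(d):
    """h(D) = -D log2 D - (1 - D) log2 (1 - D), in bits."""
    if d in (0.0, 1.0):
        return 0.0
    return -d * math.log2(d) - (1 - d) * math.log2(1 - d)


def information_budget_per_qubit(kappa):
    """Theorem 2 with N = 2^n and c = 2^(-kappa n): 2 log2(N c) / n."""
    return 2 * (1 - kappa)


def secret_key_possible(d, kappa):
    """Sufficient condition: Bob holds more than half of the budget."""
    bob_information = 1 - binary_entropy(d)      # assumed form, per qubit
    return bob_information > information_budget_per_qubit(kappa) / 2


def max_error_rate(kappa, tol=1e-12):
    """Largest D in [0, 1/2] that still satisfies the sufficient condition."""
    lo, hi = 0.0, 0.5                 # h is increasing on this interval
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if secret_key_possible(mid, kappa):
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    for kappa in (0.5, 0.25):
        print(f"c = 2^(-{kappa} n): D < {100 * max_error_rate(kappa):.2f}%")
```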



9 The EPRBE Quantum Cryptographic Protocol 
9.1 Quantum Nonlocality and Cryptography 

Bell's theorem states that there are quantum correlation functions that cannot
be represented as classical correlation functions of separated random variables. It has
been interpreted as incompatibility of the requirement of locality with the statistical
predictions of quantum mechanics [22]. For a recent discussion of Bell's theorem see,
for example, |^ - and references therein. It is now widely accepted, as a result
of Bell's theorem and related experiments, that "local realism" must be rejected.

Bell's theorem constitutes an important part in quantum cryptography [Q. It is 
now generally accepted that techniques of quantum cryptography can allow secure 
communications between distant parties. The promise of some secure cryptographic 
quantum key distribution schemes is based on the use of quantum entanglement in 
the spin space and on quantum no-cloning theorem. An important contribution of 
quantum cryptography is a mechanism for detecting eavesdropping. 

Let us stress that the very formulation of the problem of locality in quantum me- 
chanics is based on ascribing a special role to the position in ordinary three-dimensional 
space. However the space dependence of the wave function is neglected in many dis- 
cussions of the problem of locality in relation to Bell's inequalities. Actually it is the 
space part of the wave function which is relevant to the consideration of the problem 
of locality. 

It was pointed out in that the space part of the wave function leads to an 
extra factor in quantum correlation which changes the Bell equation. A criterion of 
locality (or nonlocality) of quantum theory in a realist model of hidden 
variables. In particular predictions of quantum mechanics can be consistent with Bell's 
inequalities for some Gaussian wave functions. 

If one neglects the space part of the wave function in a cryptographic scheme then 
such a scheme could be insecure in the real three-dimensional space. 

We will discuss how one can try to improve the security of quantum cryptography 
schemes in space by using a special preparation of the space part of the wave function, 
see \m. 



9.2 Bell's Inequalities 



In the presentation of Bell's theorem we will follow [25] where one can find also more 
references, see |^ for more details. The mathematical formulation of Bell's theorem 
reads: 

$$\cos(\alpha - \beta) \ne E\,\xi_\alpha \eta_\beta \qquad (18)$$

where $\xi_\alpha$ and $\eta_\beta$ are two random processes such that $|\xi_\alpha| \le 1$, $|\eta_\beta| \le 1$ and E is the 
expectation. Let us discuss in more details the physical interpretation of this result. 

Consider a pair of spin one-half particles formed in the singlet spin state and moving 
freely towards two detectors (Alice and Bob). If one neglects the space part of the wave 
function then the quantum mechanical correlation of two spins in the singlet state $\psi_{spin}$ 
is 

$$D_{spin}(a, b) = \langle\psi_{spin}|\sigma\cdot a \otimes \sigma\cdot b|\psi_{spin}\rangle = -a\cdot b \qquad (19)$$

Here a and b are two unit vectors in three-dimensional space, $\sigma = (\sigma_1, \sigma_2, \sigma_3)$ are the 
Pauli matrices and 



Bell's theorem states that the function $D_{spin}(a, b)$ Eq. (19) can not be represented 
in the form 

$$P(a, b) = \int \xi(a, \lambda)\,\eta(b, \lambda)\,d\rho(\lambda) \qquad (20)$$

i.e. 

$$D_{spin}(a, b) \ne P(a, b) \qquad (21)$$

Here $\xi(a, \lambda)$ and $\eta(b, \lambda)$ are random fields on the sphere, $|\xi(a, \lambda)| \le 1$, $|\eta(b, \lambda)| \le 1$ and 
$d\rho(\lambda)$ is a positive probability measure, $\int d\rho(\lambda) = 1$. The parameters $\lambda$ are interpreted 
as hidden variables in a realist theory. It is clear that Eq. (21) can be reduced to 
Eq. (18). 

One has the following Bell-Clauser-Horne-Shimony-Holt (CHSH) inequality 

$$|P(a, b) - P(a, b') + P(a', b) + P(a', b')| \le 2 \qquad (22)$$

On the other hand there are such vectors ($a\cdot b = a'\cdot b = a'\cdot b' = -a\cdot b' = \sqrt{2}/2$) for which 
one has 

$$|D_{spin}(a, b) - D_{spin}(a, b') + D_{spin}(a', b) + D_{spin}(a', b')| = 2\sqrt{2} \qquad (23)$$

Therefore if one supposes that $D_{spin}(a, b) = P(a, b)$ then one gets the contradiction. 

It will be shown below that if one takes into account the space part of the wave 
function then the quantum correlation in the simplest case will take the form 
$g\cos(\alpha - \beta)$ instead of just $\cos(\alpha - \beta)$ where the parameter g describes the location 
of the system in space and time. In this case one can get the representation [25] 

$$g\cos(\alpha - \beta) = E\,\xi_\alpha \eta_\beta \qquad (24)$$

if g is small enough (see below). The factor g gives a contribution to visibility or 
efficiency of detectors that are used in the phenomenological description of detectors. 



9.3 Localized Detectors 

In the previous section the space part of the wave function of the particles was neglected. 
However exactly the space part is relevant to the discussion of locality. The complete 
wave function is $\psi = (\psi_{\alpha\beta}(r_1, r_2))$ where $\alpha$ and $\beta$ are spinor indices and $r_1$ and $r_2$ are 
vectors in three-dimensional space. 

We suppose that Alice and Bob have detectors which are located within the two 
localized regions $O_A$ and $O_B$ respectively, well separated from one another. 

Quantum correlation describing the measurements of spins by Alice and Bob at 
their localized detectors is 

$$G(a, O_A, b, O_B) = \langle\psi|\sigma\cdot a\,P_{O_A} \otimes \sigma\cdot b\,P_{O_B}|\psi\rangle \qquad (25)$$

Here $P_O$ is the projection operator onto the region O. 

Let us consider the case when the wave function has the form of the product of the 
spin function and the space function $\psi = \psi_{spin}\,\phi(r_1, r_2)$. Then one has 

$$G(a, O_A, b, O_B) = g(O_A, O_B)\,D_{spin}(a, b) \qquad (26)$$

where the function 

$$g(O_A, O_B) = \int_{O_A \times O_B} |\phi(r_1, r_2)|^2\,dr_1\,dr_2 \qquad (27)$$

describes correlation of particles in space. It is the probability to find one particle in 
the region $O_A$ and another particle in the region $O_B$. 
One has 

$$0 \le g(O_A, O_B) \le 1 \qquad (28)$$

Remark. In relativistic quantum field theory there is no nonzero strictly localized 
projection operator that annihilates the vacuum. It is a consequence of the Reeh-Schlieder 
theorem. Therefore, apparently, the function $g(O_A, O_B)$ should be always 
strictly smaller than 1. 

Now one inquires whether one can write the representation 

$$g(O_A, O_B)\,D_{spin}(a, b) = \int \xi(a, O_A, \lambda)\,\eta(b, O_B, \lambda)\,d\rho(\lambda) \qquad (29)$$

Note that if we are interested in the conditional probability of finding the projection 
of spin along vector a for the particle 1 in the region $O_A$ and the projection of spin 
along the vector b for the particle 2 in the region $O_B$ then we have to divide both sides 
of Eq. (29) by $g(O_A, O_B)$. 

The factor g is important. In particular one can write the following representation 
[25] for $0 \le g \le 1/2$: 

$$g\cos(\alpha - \beta) = \int_0^{2\pi} \sqrt{2g}\cos(\alpha - \lambda)\,\sqrt{2g}\cos(\beta - \lambda)\,\frac{d\lambda}{2\pi} \qquad (30)$$

Let us now apply these considerations to quantum cryptography. 



9.4 The EPRBE Quantum Key Distribution 

Ekert ^ showed that one can use the Einstein-Podolsky-Rosen correlations to establish 
a secret random key between two parties ("Alice" and "Bob"). Bell's inequalities are 
used to check the presence of an intermediate eavesdropper ("Eve"). We will call 
this method the Einstein-Podolsky-Rosen-Bell-Ekert (EPRBE) quantum cryptographic 
protocol. There are two stages to the EPRBE protocol, the first stage over a quantum 
channel, the second over a public channel. 

The quantum channel consists of a source that emits pairs of spin one-half parti- 
cles, in a singlet state. The particles fly apart towards Alice and Bob, who, after the 
particles have separated, perform measurements on spin components along one of three 
directions, given by unit vectors a and b. In the second stage Alice and Bob commu- 
nicate over a public channel. They announce in public the orientation of the detectors 
they have chosen for particular measurements. Then they divide the measurement 
results into two separate groups: a first group for which they used different orientation 
of the detectors, and a second group for which they used the same orientation of the 
detectors. Now Alice and Bob can reveal publicly the results they obtained but within 
the first group of measurements only. This allows them, by using Bell's inequality, to 
establish the presence of an eavesdropper (Eve). The results of the second group of 
measurements can be converted into a secret key. One supposes that Eve has a detector 
which is located within the region $O_E$ and she is described by hidden variables $\lambda$. 

We will interpret Eve as a hidden variable in a realist theory and will study whether 
the quantum correlation Eq. (EBI) can be represented in the form Eq. (20). From 
3]) and (29) one can see that if the following inequality 

$$g(O_A, O_B) < 1/\sqrt{2} \qquad (31)$$

is valid for regions $O_A$ and $O_B$ which are well separated from one another then there is 
no violation of the CHSH inequalities (22) and therefore Alice and Bob can not detect 
the presence of an eavesdropper. On the other hand, if for a pair of well separated 
regions $O_A$ and $O_B$ one has 

$$g(O_A, O_B) > 1/\sqrt{2} \qquad (32)$$

then there could be a violation of the realist locality in these regions for a given state. 
Then, in principle, one can hope to detect an eavesdropper in these circumstances. 

Note that if we set $g(O_A, O_B) = 1$ in (29) as it was done in the original proof of 
Bell's theorem, then it means we did a special preparation of the states of particles 
to be completely localized inside of detectors. There exist such well localized states 
(see however the previous Remark) but there exist also other states, with the wave 
functions which are not very well localized inside the detectors, and still particles in 
such states are also observed in detectors. The fact that a particle is observed inside the 
detector does not mean, of course, that its wave function is strictly localized inside the 
detector before the measurement. Actually one has to perform a thorough investigation 
of the preparation and the evolution of our entangled states in space and time if one 
needs to estimate the function $g(O_A, O_B)$. 
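The role of the factor g in the CHSH test can be made concrete numerically. The following Python sketch is an added example, not code from the original lectures: it evaluates the left-hand side of (22) for the correlation $g\cos(\alpha-\beta)$ at the settings of Eq. (23), and checks the local model of Eq. (30) by quadrature over $\lambda$. It assumes all analyzer directions lie in one plane so that they can be given as angles; the function names are hypothetical.

```python
import math

# Analyzer angles (radians) with a.b = a'.b = a'.b' = -a.b' = sqrt(2)/2, as in Eq. (23)
A, A_PRIME, B, B_PRIME = 0.0, math.pi / 2, math.pi / 4, 3 * math.pi / 4

def chsh(corr):
    """Left-hand side of the CHSH inequality (22) for a correlation corr(alpha, beta)."""
    return abs(corr(A, B) - corr(A, B_PRIME) + corr(A_PRIME, B) + corr(A_PRIME, B_PRIME))

def quantum_corr(g):
    """g*cos(alpha - beta): spin correlation scaled by the localization factor g of Eq. (26).
    The overall minus sign of Eq. (19) does not affect the absolute value in (22)."""
    return lambda alpha, beta: g * math.cos(alpha - beta)

def hidden_variable_corr(g, steps=360):
    """E[xi * eta] for the local model of Eq. (30), lambda uniform on [0, 2*pi)."""
    if not 0.0 <= g <= 0.5:
        raise ValueError("model needs |xi|, |eta| <= 1, i.e. 0 <= g <= 1/2")
    amp = math.sqrt(2.0 * g)
    def corr(alpha, beta):
        total = 0.0
        for k in range(steps):  # midpoint rule over one period of lambda
            lam = 2.0 * math.pi * (k + 0.5) / steps
            total += amp * math.cos(alpha - lam) * amp * math.cos(beta - lam)
        return total / steps
    return corr

def eavesdropper_detectable(g):
    """True when the CHSH value exceeds 2, which requires g > 1/sqrt(2) as in (32)."""
    return chsh(quantum_corr(g)) > 2.0

def report(gs=(1.0, 0.8, 0.7, 0.5, 0.1)):
    """(g, CHSH value, detectable?) for a few sample values of g (constructed inputs)."""
    return [(g, round(chsh(quantum_corr(g)), 6), eavesdropper_detectable(g)) for g in gs]

if __name__ == "__main__":
    for row in report():
        print(row)
```

For g between 1/2 and $1/\sqrt{2}$ the particular model (30) is not available, yet the CHSH value $2\sqrt{2}\,g$ still stays below 2.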



9.5 Gaussian Wave Functions 

Now let us consider the criterion of locality for Gaussian wave functions. We will show 
that with a reasonable accuracy there is no violation of locality in this case. Let us take 
the wave function $\phi$ of the form $\phi = \psi_1(r_1)\psi_2(r_2)$ where the individual wave functions 
have the moduli 

$$|\psi_1(r)|^2 = \left(\frac{m^2}{2\pi}\right)^{3/2} e^{-m^2 r^2/2}, \qquad |\psi_2(r)|^2 = \left(\frac{m^2}{2\pi}\right)^{3/2} e^{-m^2 (r-l)^2/2} \qquad (33)$$

We suppose that the length of the vector l is much larger than 1/m. We can make 
measurements of $P_{O_A}$ and $P_{O_B}$ for any well separated regions $O_A$ and $O_B$. Let us 
suppose a rather unfavorable case for the criterion of locality when the wave functions 
of the particles are almost localized inside the regions $O_A$ and $O_B$ respectively. In such 
a case the function $g(O_A, O_B)$ can take values near its maximum. We suppose that the 
region $O_A$ is given by $|r_i| < 1/m$, $r = (r_1, r_2, r_3)$ and the region $O_B$ is obtained from 
$O_A$ by translation by l. Hence $\psi_1(r_1)$ is a Gaussian function with modulus appreciably 
different from zero only in $O_A$ and similarly $\psi_2(r_2)$ is localized in the region $O_B$. Then 
we have 



g{OA^OB) = 




One can estimate (34) as 

g{OA,OB)<{^ (35) 

which is smaller than 1/2. Therefore the locality criterion (31) is satisfied in this case. 

Let us recall that there is a well known effect of expansion of wave packets due 
to the free time evolution. If $\varepsilon$ is the characteristic length of the Gaussian wave packet 
describing a particle of mass M at time t = 0 then at time t the characteristic length 
$\varepsilon_t$ will be 

It tends to $(\hbar/M\varepsilon)t$ as $t \to \infty$. Therefore the locality criterion is always satisfied 
for nonrelativistic particles if regions $O_A$ and $O_B$ are far enough from each other. 



10 Conclusions 

In quantum cryptography there are many interesting open problems which require fur- 
ther investigations. In quantum cryptographic protocols with two entangled photons 
(such as the EPRBE protocol) to detect the eavesdropper's presence by using Bell's 
inequality we have to estimate the function $g(O_A, O_B)$. In order to increase the de- 
tectability of the eavesdropper one has to do a thorough investigation of the process 
of preparation of the entangled state and then its evolution in space and time towards 
Alice and Bob. One has to develop a proof of the security of such a protocol. 

In the previous section Eve was interpreted as an abstract hidden variable. However 
one can assume that more information about Eve is available. In particular one can 
assume that she is located somewhere in space in a region $O_E$. It seems that one has 
to study a generalization of the function $g(O_A, O_B)$, which depends not only on the 
Alice and Bob locations $O_A$ and $O_B$ but also on Eve's location $O_E$. Then one can try 
to find a strategy which leads to an optimal value of this function. 

In quantum cryptographic protocols with single photons (such as the BB84 pro- 
tocol) further investigation of the security under various types of attacks, including 
attacks from real space, would be desirable. 